Friday, March 30, 2007

$200 a week PowerGUI draw

We've had an internal contest to award cash to Quest employees who build useful tools on top of PowerGUI. We're extending that contest externally now. Dmitry Sotnikov blogs about it...

In order to celebrate the PowerGUI launch, Quest Software is setting up a weekly draw of $200 Amazon certificates among the folks submitting PowerGUI packs to the Library at

The rules are pretty simple:
  1. Run PowerGUI.
  2. Add a few nodes to the tree and a few actions to the right-hand pane (see flash demos in the documentation section for instructions on how to do this.)
  3. Export the new functionality and post your file to the Library.

Each Sunday we will do a draw and randomly pick one of the submissions (tip: submit two packs to double your chances ;)). I will then send a private message to the winner to learn the contact information I could pass to the guys at Quest who will send you the certificate.

That’s it! Pick the area you know and post something that you consider useful and you’ll get a pretty good chance of winning!

Here's your chance to jump on the PowerGUI bandwagon and maybe grab some cash!


Thursday, March 29, 2007

PowerShell announcements & PowerGUI

Lots of coverage about PowerShell during the Microsoft Management Summit and some nice coverage of the PowerGUI website and software. Quest Software issued a couple of press releases about our integration plans for PowerShell. Our efforts were also blogged about on Microsoft's PowerShell blog!

PowerGUI was demoed by Quest during the session of Jeffrey Snover, and with PowerGUI you have a graphical interface for PowerShell. Even more, it's an extensible administrative console based on Windows PowerShell. So you can start with a graphical interface and look at the PowerShell script for later use. How cool is that?

My buddy Dmitry Sotnikov has lots of good technical information over at his blog about PowerShell. Dmitry is the man behind the curtain for our website and our PowerShell efforts.


Wednesday, March 28, 2007

Next stop on the reality tour is...

Reston, VA!

I'll be meeting customers and holding a customer roundtable with Microsoft at the Microsoft Innovation and Technology Center on Thursday, April 19th 9:00 am to 12:00 pm. If you're interested in attending please register with us. See you there!

SIMPLIFY IDENTITY MANAGEMENT - Managing your Multiple Identity Disorder

Despite directives and regulations such as HSPD-12/FIPS 201 and FISMA, and the ongoing climate of heightened security throughout the federal government, most defense and civilian agencies are still struggling with how best to resolve critical identity management challenges such as provisioning, de-provisioning, single sign-on and change auditing. In addition, agencies are being asked to meet these challenges with very limited budgets.

Wouldn’t it be a relief to know that you already own most of the pieces you need to solve this mission critical puzzle? Please join our panel of distinguished industry experts to learn how you can leverage your existing infrastructure investments to meet your most pressing identity management needs.


Thursday, March 22, 2007

More details on Novell's DS4W

There's a sneak peek article on Novell's Open Enterprise Server 2 that can be found in Novell's Connection Magazine. It includes discussion of many of the new capabilities and features of OES2 including additional information on Novell's Domain Services for Windows.

To my previous point about "simplification" here's an excerpt:

Note that this is not desktop emulation, nor is it synchronization between eDirectory and Active Directory. Rather, it employs server-side authorization and authentication that allows Windows users to access a Novell server using native Windows protocols, as well as providing seamless cross-authentication between Active Directory and eDirectory. In other words, it lets your users work in a pure Windows desktop environment while still letting them take advantage of all the Novell back-end services and technology.

The beauty of Novell's efforts is the fact that a company does not need complicated metadirectory, directory synchronization or identity management software to enable these benefits. They have simplified the environment and there are tremendous advantages to this.

Earl Perkins from Gartner was kind enough to leave a comment on my previous post where I responded to Craig Burton's comments. Earl raises a good point and I must say that at the end of the day it does not matter one bit what Jackson, Craig or Earl think about Novell's efforts. What matters is the market. Will the market see the benefits of this and shell out money for this product?

If the answer is yes, then Novell has a winner.


Wednesday, March 21, 2007

Too little, too late?

Craig Burton responded to my post yesterday regarding Novell's demo of their new Domain Services for Windows beta. I'm awfully flattered to see that Craig is reading my blog. Craig was instrumental behind Zoomit's metadirectory product and I have had the privilege of knowing Craig and his wife Judith for a long time now so I have a ton of respect for him.

Craig's sole comment:

Yawn. Too little too late. Who cares? Novell has slid to the

The main point I was trying to make was simply the fact that they have actually accomplished interoperability. No metadirectory needed, no synchronization, no smoke and mirrors. I love simplification.

Will it be a commercial success for Novell? Will it turn around Novell's fortunes? Will it make a difference? Frankly, I think you're right Craig. In the bigger picture it probably is too little, too late.


Tuesday, March 20, 2007

Now that's interop!

Check out Novell's BrainShare keynote for an amazing demo of the interoperability they have built between Novell eDirectory and Microsoft Active Directory. You can fast-forward to the demo if you're impatient. It's at 1:15:43 and it is awesome.

In an earlier post (Jan. 18/07) I mentioned that BrainShare would be the first true test of the agreement - Would a Microsoft executive speak? Answer = yes! Craig Mundie from Microsoft was on-stage with Novell's CTO for a fireside chat.

Novell basically demoed the software I mentioned in yesterday's post called Novell Domain Services for Windows. Some of the key things shown during the demo included:

  • Creating a user via the ADUC MMC but the user created is actually added to eDirectory
  • Modified the added user via iManager and refreshed the MMC to see the change appear
  • Set up a two-way trust between two companies ( and
  • Enabled sharing a folder in one company for a specific user in the other company
  • From the other company logged in as that user and accessed that resource

Very nice indeed. Good work guys!


Monday, March 19, 2007

Novell Domain Services for Windows

Today Novell announced something called "Novell Domain Services for Windows" which appears to be ready to go into beta test. So what is it you ask? Here's the synopsis:

Domain Services for Windows lets Windows desktop users take advantage of Novell back-end services and technology without using a Novell Client. It allows Windows users to seamlessly access Novell servers using native Windows protocols, as well as provides cross-authentication between Microsoft Active Directory* and Novell eDirectory™. With this integration, customers can easily drop Linux servers into Windows environments. Using either Novell iManager or Microsoft Management Console to manage the network, IT administrators can standardize on fewer desktop images and have one less component to update and manage on the desktop, resulting in lower IT budgets.

So what exactly does this mean? Maybe more will be discussed at BrainShare? Certainly sounds interesting...

p.s. Didn't see anything on Port25 about this topic - at least not yet. Or, at Microsoft's press release web pages but it was announced by Novell today.

open for business!

is now open for business! We're opening it a week before the Microsoft Management Summit to work out any last-minute kinks prior to the "official" launch next week.

Here's a few of the interesting PowerPacks that have been posted so far...
  • Key Management Service (KMS) reporting - This snapin extracts Vista activation data from corporate Key Management Service (KMS) installations and allows administrators to monitor and ensure Vista licensing compliance.
  • Purge Log files on Exchange 2007 servers - Script is used to purge log files on Exchange 2007 servers
  • Retrieving DNS Records for LCS 2005 - LCSUtils-DNS.Ps1 is a simple DNS verification tool for LCS. It takes the name of a LCS enterprise pool and reports DNS records that are configured for this pool (A record and SRV record). Syntax: .\LCSUtils-DNS.ps1 -LCSServer


Friday, March 16, 2007

Unix, Linux, mainframes and Windows oh, my

Interesting article over at Network Computing about "User Friendly Linux". What struck me as noteworthy was a chart - with stats attributed to Gartner - that they had titled: "What is the makeup of your major enterprise data center?"
  • 40% of respondents have Mainframe, Unix, Linux and Windows
  • 24% have Unix, Linux and Windows
  • 14% have mainframe, Unix and Linux
  • 10% have Unix and Windows
  • 4% have Mainframe and Windows
  • 3% have Linux and Windows
  • 1% have Mainframe and Unix
  • 0% have Unix servers only

Now if I cut the numbers a different way...

  • 95% of respondents have mainframe, Unix, Linux with Windows
  • 58% of respondents have a mainframe with Windows
  • 37% of respondents have Linux or Unix with Windows - no mainframe

Message: Clearly, the mainframe is still alive and I am willing to bet there are a lot of identities out there that are mainframe-based...


Thursday, March 15, 2007

I'll have the single sign-on with a side of car crash...

I had a nice lunch today with Andy Sakalian of Version3. They've built some pretty good Web single sign-on software that has good traction in the education market. They are also building out their products into some new areas including SharePoint and support for ADAM.

Interesting to hear that they really don't see anyone implementing ADFS but when they do see it happening it's usually accompanied by a lot of teeth gnashing and a costly services engagement. I really think Microsoft has missed the boat on ADFS. There is no SharePoint "out-of-the-box" scenario that supports ADFS. Andy says that they are getting asked about interoperability with SAML which doesn't surprise me.

Anyway, we had a nice lunch despite the fact that it started off with someone running into the side of my car before we got to the restaurant. No one was hurt fortunately. No airbags were deployed but you can see the passenger side of the car - where Andy was sitting - was pretty much wrecked. Andy had to crawl over the driver's seat to get out of the car as both doors are unopenable.

Dude, sorry I had to make you sit in the back on the way back to Microsoft. That smell back there is from my standard Poodle so at least it's a French perfumey type smell...


Sun on Linux Identity Management

Interesting interview of Terry Sigle - Sun Microsystems' Linux and ID management guru - on Sun and Linux Identity Management.

Terry states that the reason that ID management is so important in the Linux space is "because it has the highest adoption rate of them all". I don't discount that but frankly I see Linux as Windows NT. Anyone can put one up. You don't need corporate approval. And as the box becomes mission critical to the business unit, group or corporation over time you end up with yet another "island of identity" that needs to be integrated.

Interestingly enough, Terry mentions Active Directory in his response to a few of the interviewer's questions about application provisioning and provisioning generally. Unfortunately, the way forward from his perspective is the use of standards like OpenSSO, SAML, Lasso, etc.

My question is: When will legacy applications like SAP, Siebel, Oracle, etc. etc. incorporate these standards? When will mainframes and mid-range systems integrate with these standards?

Why are we all talking about the standards and not getting our legacy apps integrated or pushing those vendors to integrate? I can assure you that we (Quest) are not going to throw out our CRM system for one that supports any standard - we've invested far too much money to do that. Far too much.


Wednesday, March 14, 2007

Have identity, will travel

That's the title of an excellent article by my friend Gerry Gebel of The Burton Group on the subject of federation. It appeared in the January 27 issue of Network Computing. Gerry gives a great overview of the two competing standards in this area (WS-* and SAML) and briefly discusses the emergence of a new proposed standard called WS-SX.

Gerry gives a lucid overview with plenty of diagrams - something that I love to see. If you need an overview of federation this is a good starting point so check it out. A few things that I'd like Gerry or someone else to address at some point...

- How have firms that have implemented external federation solved the legal challenges involved?

- What progress, if any, is being made on federation of "thick client" applications? I'm glad we have solved web-based federation but there's still a lot of thick clients out there.

- What's the latest on externalization of authorization information amongst the platform vendors? Not just from a federation perspective but simply from building a web application.

Gerry concludes his article by stating that "making federated IdM work requires a delicate balancing act". I couldn't agree more.


Tuesday, March 13, 2007

Drink up, you'll earn more money.

Thank you CIO Magazine (Mar. 1, 2007) for this one:
Drinkers earn 10 percent to 14 percent more money at their jobs than teetotalers.

Key take-aways from this...
  • If you are not a drinker start drinking and ask for a raise. Maybe have a drink and then go and ask for a raise.
  • If you are a drinker, tell your boss that you feel you are being paid at the teetotaler rate and ask for a raise.

Monday, March 12, 2007

Ring of fire

I've blogged a couple of times about my customer visits in New York City. I want to recount the situation at an insurance company that I visited with. I've worked in IT at a couple of companies including a fairly sizeable one and I've seen an awful lot of bad practices but what I saw there was, in my opinion, out of control.

The company is global. They have operations in many countries around the world. Their Active Directory is set up on a regional basis versus a functional basis. This has come about for a couple of reasons: each region had their own NT domain and each region wanted their own autonomy. OK, sounds somewhat typical of many companies. What's the problem?

Each NT domain is being migrated into a separate Active Directory forest.

Unfortunately, the regions do not trust headquarters so they are completely against centralization of any control whatsoever. In addition, each region has a CIO that reports into the regional executives but is only dotted line to the global CIO. The result is that each CIO does what they want and what they want is control and control translates to owning their own AD forest.

The folks I talked to were basically stating that they were not seeing any benefit to their migration to Active Directory. Even with the security implications of not de-provisioning staff quickly - something that they were already burnt by. At least they were in a position to understand that they weren't getting any benefit but can they make the leap to understanding why??

My prescription:
  1. Educate senior management on the problem and costs of the current path the company is going down.
  2. Get a highly experienced Active Directory architect to build the global plan.
  3. Get a highly experienced project manager to execute the global plan.
  4. Educate the regions on Active Directory capabilities, engineering and benefits (i.e., delegation).
  5. Force regional IT to take their marching orders from the global CIO's office.
  6. Reward the regions that move to the global forest by enabling them to keep their budget dollars. Freeze budgets for those that don't within a period of time.
  7. Start kicking butt and taking names.

Sunday, March 11, 2007

Spring has sprung in Seattle

Being an eastern Canada guy it still amazes me when this happens...I do love living on the west coast!

Did you mean: dsl? Actually, no. I really meant dst.

Actually, no. I really meant "dst". That's the response I got to "dst" when I checked Buffalo Technologies support page this morning. Looks like the only computer-based product at Quest Software's Bellevue office that isn't showing the correct time today is Buffalo's TeraStation. The TeraStation is a 1Tb NAS-attached Linux device that I use for backups and storage of my digital pictures.

My VCR is also showing the incorrect time but I'm assuming that will sort itself out since it is "automatic" - in theory.

I'm hoping the TeraStation sorts itself out too. It's supposed to use NTP to set its time so...

Saturday, March 10, 2007

DST change worse than Y2K?

I remember that Y2K was such a non-event and I don't think it was because of the kazillion dollars that the world spent on it either. I am worried about DST though. In fact, I am worried about it more than Y2K.

What if my ReplayTV doesn't "fix itself"? Geez, when I fire up Boston Legal I'll actually be watching Maury Povich or something else?! Or maybe the Rev Gene Scott? Well, actually, that'd be really interesting since he's dead and his wife is leading the show now. But that would certainly prove that he was right. Anyway, I digress.

Let's see what happens this weekend. Should be fun, eh?

Friday, March 09, 2007

Centralized Identity Management Can Help Curb The Insider Threat

It appears that the study I mentioned in the previous post was picked up by Information Week so I'll highlight some of the findings:

  • 64% of the 627 IT pros surveyed say their companies use identity and access management technology.

  • 14% avoid identity and access management because it's too difficult to deploy or because they're content with manual methods of identity management

Not too surprising a number there.

  • About half of the remaining respondents who don't use identity and access management technology say this is because the technology is too expensive

I guess the ISVs need to do a better job and start building some products that don't take 2-10X in services to get installed - and cost less to acquire the software.

  • 13% of respondents have centralized identity and access management

  • 18% of respondents indicated that this information is managed based on geographic location rather than from a central, company-wide location

Interesting. Is it possible for the average enterprise to have more than one identity management solution? Yes. In fact, some of the customers that I met with on my latest leg of the reality tour had more than one solution. Now that's scary!

  • Another top reason (to track employees) is the ability to track the activities of privileged users (e.g., system admin, DBAs) with access to critical applications or databases. About 64% indicated it was "very important" or "important" in providing them the ability to detect and prevent disclosure of confidential or private data.

So 1/3 of respondents didn't think it was that important to track these highly privileged users? Now that's double scary!


Customer roundtable in Manhattan

We hosted a customer round table in Manhattan last week at Bobby Flay’s Bar Americain. They have a nice private room upstairs where we had dinner with about thirty customers including Lehman Brothers, Goldman Sachs, Comcast, Merrill-Lynch, MetLife, Sirius Radio, St. Barnabas Health Care, HSBC and a cast of others (apologies if I forgot a name).

The dinner was awesome but we really had the opportunity to foster communication amongst our customers and talk about identity management, Unix/Linux integration with Active Directory, migration and other hot topics. Over the three days I was in the area I met with many customers and had the pleasure to take complaints, product suggestions and talk about futures. A number of common topics that cut across the customers I met include: IPSec as it pertains to supporting NAP/NAC, smartcard deployments and my favorite topic of late: externalization of authorization information.

Hats off to Microsoft, too. They were in attendance in force. It was great to see some of the local folks who I used to work with when I was in Redmond. Thanks Susan, Greg, Anthony and Kyle. You guys were great. I really appreciate your support and I know our customers do, too.


Thursday, March 08, 2007

General stupidity...

I came across an interesting pdf document titled "Survey on Identity Compliance" today. Of course, I fired it up to read it. The thing that bothers me the most about the document is not the results or the contents generally but the big warning on the title page:

Private & Confidential Document. Please Do Not Quote Without Express Permission.

So it's posted to the internet to keep it private and confidential? Plus they ask me to "please do not quote without express permission". Does the please mean that I can still quote? I don't know.

It's just stupid.

PowerShell & PowerGUI

Quest is jumping on the PowerShell bandwagon in a big way. We're going to make a bunch of announcements at the Microsoft Management Summit in Las Vegas at the end of the month. Quest will also be launching a new web site to help foster a community around PowerShell. We're building PowerShell cmdlets for Active Directory, MIIS and even building cmdlets that can span the Unix/Linux/Windows boundary.

It's all pretty cool...


Microsoft Signs Up 1st Licensee for Code

We signed up today as the first licensee in the Microsoft Work Group Server Protocol Program (WSPP).

The license gives Quest access to communications protocols used by Windows work group servers -- which control office tasks such as printing or sharing documents.

All the cool stuff that we wanted to do now we can do. I'm actually pretty surprised that IBM, Sun, Novell and Oracle haven't signed this agreement yet. They were the ones pushing for it. I simply see this as a way for us to build better products and offer greater value to our customers. Isn't that what they want to do, too?


Friday, March 02, 2007

Beautiful but...

I had a customer meeting yesterday over in New Jersey. The meeting room had this absolutely awesome view of the Manhattan skyline, the Hudson River and the Statue of Liberty to the south. I marvelled at how lucky I was - and the customer was - to have such good fortune to be there.

But, there was that pain that I am sure many of us get when they look at this skyline and remember what it used to be like. I took the picture below in the early 80's...

Thursday, March 01, 2007

Cobbler's children

I received this email today regarding my identity partner's account that I have at Microsoft. Isn't it unfortunate that given Active Directory Federation Services (ADFS) and CardSpace that I have to do this?

Shaw, Jackson, The password for the extranet account issued to blah\JShaw will expire on Mar 15 2007. Please proceed to the following URL to change the password:

NOTE: Failure to change the password before the expiration date will result in the account being locked and access will no longer be provided.

Thank you, The Extranet Management Tool Team

For assistance, please contact your administrator, site owner or support team.

I have zero time to figure out who my administrator, site owner or support team is.

I do know my Quest userid and password and wouldn't it be nice if that just worked??
